From martin.pitt@canonical.com Tue Aug 23 11:56:45 2005
From: Martin Pitt
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Tue, 23 Aug 2005 17:51:13 +0200
Subject: [Full-disclosure] [USN-172-1] lm-sensors vulnerability

===========================================================
Ubuntu Security Notice USN-172-1            August 23, 2005
lm-sensors vulnerabilities
https://bugzilla.ubuntu.com/show_bug.cgi?id=13887
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

lm-sensors

The problem can be corrected by upgrading the affected package to
version 2.8.8-7ubuntu2.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Javier Fernández-Sanguino Peña noticed that the pwmconfig script
created temporary files in an insecure manner. This could allow a
symlink attack to create or overwrite arbitrary files with full root
privileges since pwmconfig is usually executed by root.
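The class of bug described in the notice, shown as an added example that is not part of the original advisory and is not taken from the lm-sensors source: a script writing to a predictable temporary file name, next to the mktemp-based form. The file name pwmconfig.tmp, the function names and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed illustration; "pwmconfig.tmp" and all function names are
# hypothetical and do not come from the lm-sensors source.

# Unsafe: fixed, predictable name in a shared directory. The ">" redirection
# follows an existing symlink, so the write lands wherever the link points.
unsafe_write() {    # $1 = directory, $2 = data
    printf '%s\n' "$2" > "$1/pwmconfig.tmp"
}

# Safe: mktemp picks an unpredictable name and creates the file exclusively
# (O_EXCL, mode 0600), so a pre-existing link is never opened.
safe_write() {      # $1 = directory, $2 = data; prints the path created
    tmp=$(mktemp "$1/pwmconfig.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Runs one variant inside a private sandbox directory in which the
# predictable name already exists as a link to a stand-in "protected" file.
# Prints "clobbered" if that file was overwritten, "intact" otherwise.
run_case() {        # $1 = unsafe | safe
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/protected"
    ln -s "$box/protected" "$box/pwmconfig.tmp"
    case $1 in
        unsafe) unsafe_write "$box" "fan data" ;;
        safe)   safe_write "$box" "fan data" >/dev/null ;;
    esac
    if [ "$(cat "$box/protected")" = "original" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$box"
    printf '%s\n' "$result"
}

echo "unsafe: $(run_case unsafe)"
echo "safe:   $(run_case safe)"
```

On current Linux kernels the fs.protected_symlinks sysctl additionally blocks following another user's link in a sticky world-writable directory such as /tmp, but scripts run as root should still create temporary files with mktemp.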